Comment 2 for bug 28042

In , Daniel Kobras (kobras) wrote : Re: Bug#345595: libmagick: array index overflow in DisplayImageCommand

severity 345595 grave
tag 345595 + security
found 345595 6:6.0.6.2-2.4
thanks

On Mon, Jan 02, 2006 at 06:09:05AM +0200, Eero Häkkinen wrote:
> In libMagick, DisplayImageCommand first allocates an image index array
> with a size based on argc and then expands arguments containing glob
> patterns which may result in an increase of argc. However, the image index
> array is not increased in any case.
>
> The image index array should be allocated after the expansion of
> arguments.

This is a heap overflow from user-supplied data. As 'display' is
registered as a mime handler, it might be exploited with a little user
interaction. Marking as a security bug and raising severity. Sarge is
affected. I've checked that 'display' is the only command where
ExpandFilenames() is called after allocations that rely on argc. The
other tools from the ImageMagick suite look fine with regard to this
bug.

(Also, GraphicsMagick does not seem to suffer from this bug, but that's
mostly a note to myself.)

Regards,

Daniel.
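The allocation-ordering bug described in this report, as an added example that is not ImageMagick's own code: `expand_filenames()` is a constructed stand-in for ExpandFilenames() that replaces a literal "*.png" argument with three constructed file names, so argc grows after expansion. `index_would_overflow()` models the vulnerable ordering (index array sized from the pre-expansion argc) but only reports whether the post-expansion argc exceeds that allocation instead of writing past it; `build_image_index_safe()` shows the fix the reporter suggests, allocating the index array only after the arguments have been expanded. All names and sample arguments are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for ExpandFilenames(): every argument equal to "*.png"
 * is replaced by three constructed file names, so *argc can grow. Returns a
 * heap-allocated argv (caller frees the array, not the strings) or NULL. */
static const char **expand_filenames(int *argc, const char **argv) {
    static const char *const glob_matches[] = {"a.png", "b.png", "c.png"};
    const int n_matches = 3;
    int i, j, out = 0, new_argc = 0;

    for (i = 0; i < *argc; i++)
        new_argc += (strcmp(argv[i], "*.png") == 0) ? n_matches : 1;

    const char **expanded = malloc(sizeof(*expanded) * (size_t)new_argc);
    if (expanded == NULL)
        return NULL;

    for (i = 0; i < *argc; i++) {
        if (strcmp(argv[i], "*.png") == 0)
            for (j = 0; j < n_matches; j++)
                expanded[out++] = glob_matches[j];
        else
            expanded[out++] = argv[i];
    }
    *argc = new_argc;
    return expanded;
}

/* Vulnerable ordering from the report: the image index array is sized from
 * argc BEFORE expansion, then argc grows. Instead of performing the
 * out-of-bounds writes, report whether they would have occurred:
 * 1 = overflow condition present, 0 = fits, -1 = allocation failure. */
int index_would_overflow(int argc, const char **argv) {
    int slots = argc;                 /* allocation sized here ... */
    int expanded_argc = argc;
    const char **expanded = expand_filenames(&expanded_argc, argv);
    if (expanded == NULL)
        return -1;
    free(expanded);
    return expanded_argc > slots;     /* ... but argc may now exceed it */
}

/* Fixed ordering: expand first, then allocate the index array from the
 * post-expansion argc. Returns the number of index entries written (one per
 * expanded argument), or -1 on allocation failure. */
int build_image_index_safe(int argc, const char **argv) {
    int i, expanded_argc = argc;
    const char **expanded = expand_filenames(&expanded_argc, argv);
    if (expanded == NULL)
        return -1;

    long *image_index = calloc((size_t)expanded_argc, sizeof(*image_index));
    if (image_index == NULL) {
        free(expanded);
        return -1;
    }
    for (i = 0; i < expanded_argc; i++)
        image_index[i] = i;           /* every write is within the allocation */

    free(image_index);
    free(expanded);
    return expanded_argc;
}

/* Constructed command line: one glob argument that expands to three names. */
#define DEMO_ARGC 4
static const char *demo_argv[DEMO_ARGC] = {"display", "*.png", "-title", "x"};

int main(void) {
    printf("pre-expansion allocation would overflow: %d\n",
           index_would_overflow(DEMO_ARGC, demo_argv));
    printf("entries written with post-expansion allocation: %d\n",
           build_image_index_safe(DEMO_ARGC, demo_argv));
    return 0;
}
```

The defensive point is purely about ordering: any buffer whose size is derived from argc must be allocated after the last call that can change argc, which is the single-line fix the reporter proposes.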